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Zoltan Balazs 


# who ami 



root@kali:~# whoami 
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AV testing 
AV bypass 


# whoami 



root@kali:~# whoami 


OSCP: Occasional Satire Captain Punk 

CISSP: Certified Interspecie-ial Sheep Shearing Professional 

CPTS: Certified Pajama Toaster Specialist 

MCP: Microsoft Certified Psychopath 

OSWP: Official Sexiest Weasel Popstar 

CHFI: Chronic Hopeless Flux Incompetent 

I’m NOT a CEH 
CyberLympics@2012 CTF 

2nd runners up — gula.sh 

Creator of the Zombie Browser Toolkit 

https://github.com/Z6543/ZombieBrowserPack 



Hungary 



READY 

lO PRINT ••HELLO MIKIPEDIA ! •• 

20 GOTO JLO 

RUN| 








I love hacking 







How do you hack high security 
systems? 



How do you hack high security 
systems when you are not Tom Cruise? 


The mission 

I’m a spy (with low budget) 

I want access to a hardened secure RDP (remote 
desktop) server 

E.g. server contains confidential documents 



I need persistent C&C access to the RDP server 


To upload/download files 
Interactive remote code execution 


> Remote Desktop Connection 




Remote Desktop 

><) Connection 


Computer: Example: computer.fabrikam.com 

User name: None specified 

The computer name field is blank. Enter a full remote computer 
name. 


▼ Show Options 


Connect 


Help 













The solution (in an ideal world) 



1. Infect client’s 
desktop 


Infected 

workstation 



Steal RDP password 


LOGIN 3. Connect to RDP 



5. Command and Control 





4. Drop malware 


Secure remote 
desktop server 



6. Profit 









The challenges 

RDP server is not reachable from the Internet 
Directly ... 

Two factor authentication is used to access the RDP server 
No access to the token seeds ;) 

Drive mapping disabled — no direct file copy 
Restrictive hardware firewall 

Allows workstation -> server TCP port 3389 IPv4 only 
Application white list is used on the RDP server 
M$ Applocker in my case with default policy 







Is this realistic? 

Similar environment at a client 
• Had no time to hack it 































Target 

Company 



Infected 

workstation 



Firewall, port 3389 allowed only 




Secure remote 
desktop server 


The Internet 


Attacker 











“In hacking, there is no such thing 
as impossible. 
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Only things that are more 
challenging.” 



Already achieved 


I have remote code execution with C&C on a user’s 
workstation 

I have access to a test RDP server 

I know how the files on the server look like, what services 
are installed 


This is 


post- exploitation 



Why should you care about this? 

Red team/pentester 

• New tools 

Blue team 

• New things to look for during log 
analysis/incident response 

Policy maker/business 

• Funny pictures 



Divide et imp era! 


Divide the problem into smaller pieces and rule them 
all, one by one 

1. drop malware into the RDP server 

2. execute any code on RDP server 

3. elevate to admin privileges 

4. bypass hardware firewall 



Divide et impera! 

Divide the problem into smaller pieces and rule them 
all, one by one 

1. drop malware into the RDP server —> new shiny tool 

2. execute any code on RDP server —> nothing new here 

3. elevate to admin privileges —> nothing new, no Oday for 
you 

4. bypass hardware firewall -> new shiny tool 



1. Drop malware into RDP server 





1. Drop malware into RDP server 


Malware waits for the user to connect to RDP server 
Creates screenshot (or new animation), show in foreground 
Optionally blocks user keyboard, mouse ~20 seconds 
Uses the keyboard and the clipboard — simulates user 

1. Starts M$ Word on RDP server 

2. Drops encoded ASCII payload 

3. Creates Macro code 

4. Macro writes binary 

5. Macro starts binaries 


/J Microsoft Visual basic for Applications - ooicumentuml - ilhisUocument tCode)J 


<& File Edit View Insert Ffirmat Qebug Run Tools Add-Ins Window Help 




















Alternative usage of “user 
simulator” 

1. Add directory to be excluded from AV scans 
use the AY GUI! 

only if the user has the privileges and no UAC 



Install new trusted root certification authority and 
accept warning — and MiTM SSL connections 


CA pinning does not stop 
this attack 


The AV is alive. 

Nope, Chuck Testa ™ 



2. What is Applocker? 


C:\Use rs\ 


\Desktop\ 


x 



Your system administrator has blocked this program. For more information, contact your 
system administrator. 






















2. Execute any code, bypass 
Applocker 

,,AppLocker can only control VBScript, JScript, .bat 
files, .cmd files and Windows PowerShell scripts. It 
does not control all interpreted code that runs within a 
host process, for example Perl scripts and macros. 

Applications could contain flags that are passed to 
functions that signal AppLocker to circumvent the rules 
and allow another .exe or .dll file to be loaded. 

The administrator on the local computer can modify 
the AppLocker policies defined in the local GPO.” 


Execute any code, bypass 
Applocker 

Load DLL with Word Macro! 

Even shellcode execution is possible! 

http:/ /blog.didierstevens.com/2008 706/05/bpmtk- 

how-about-srp-whitelists / 


Private Declare PtrSafe Function LoadLibrary Lib "kernel32" 
Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long 

hLibrary = LoadLibrary(outputdir + M \hack_service.dll ff ) 




3. Elevate to admin 








3. Elevate to admin 

Why do I need admin? 

• It is needed for the last phase, hardware firewall bypass 

Possibilities 

• Local priv esc zero day for Win 2012 

• Exploit unpatched vulnerability 

• Exploit vulnerable 3 rd party program service 

• Etc. 

Processes started with admin (or higher) privileges are 
not restricted by AppLocker! 









Elevate to admin - Service exploit 


C:\> accesschk.exe —1 mvulnservice.exe 

[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\TERMINAL SERVER USER 
FILE_APPEND_DATA 
FILE_EXECUTE 
FILE_READ_ATTRIBUTES 
F TT E _R F, A DO AT A 
FILE_READ_EA 
FILE_WRITE_ATTRIBUTES 
FILE_WRITE_DATA 
FILE_WRITE_EA 
SYNCHRONIZE 
READ_CONTROLs 
C:\> sc sdshow myvulnservice 
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) 

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRCRPWP;;;IU)(A;;CCLCSWLOCRRC;;;SU) 



Elevate to admin - Service exploit 


C:\> accesschk.exe —1 mvulnservice.exe 

[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\TERMINAL SERVER USER 
FILE_APPEND_DATA 
FILE_EXECUTE 
FILE_READ_ATTRIBUTES 
FTT E_R F, A D P AT A 
FILE_READ_EA 
FILE_WRITE_ATTRIBUTES 
FILE_WRITE_DATA 

file_write_ea 

SYNCHRONIZE 
READ_CONTROLs 
C:\> sc sdshow myvulnservice 
D: (A;;CCLCSWRPWPDTLOCRRC;;;SY) 
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRCRPWP;;;IU)(A;;CCLCSWLOCRRC;;;SU) 











What’s the name of the company which published the 
first paper about packet filter firewalls 
in 1988? 



What’s the name of the company which published the 
first paper about packet filter firewalls 
in 1988? 


The company developed VAX 




What’s the name of the company which published the 
first paper about packet filter firewalls 
in 1988? 


Digital 

Equipment 

Corporation 



4. Bypass hardware firewall 


Restrictive firewall 

• No Bind shell 

• No Reverse shell 

• No covert channel 

• DNS, ICMP, IPv6, UDP, proxy 

• No shell!!! 



In a different scenario 

• TCP socket reuse shell possible (not persistent) 

• Webshell (lame) possible 

• But not in this case (no exploit, no Webserver) 


4. Bypass hardware firewall 

First (bad) idea 
After malware dropped, 

mark every packet to be special 

• start with magic bytes 

and let a kernel network filter driver select the packets 
Problem 

• Every (hacker) application has to be rewritten, or rerouted 
through a custom wrapper proxy (both server and client 
side) 






Bypass HW firewall 


Use TCP source port! 

• E.g. port 1337 is always special 

Li mitations 

• NAT from the attacker side 

• But who cares? © 


second idea 
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Bypassing hardware firewalls 
Linux 

Use code at Kernel level (with root) 

if ((tcp_source_port- 1337) && (tcp_dest_port 

=== 22)) then: 

redirect to bind shell on port 31337 

ip tables -t nat -A PREROUTING -p tcp —dport 22 — 
sport 1337 -j REDIRECT — to-ports 31337 




Attacker or 
infected 
workstation 


Src port 
1337 



Firewall, port 3389 allowed only 


Dst port 
3389 


Dst port 
31337 



Secure remote 
desktop server 














Backdoor tr 
inside RDF 5 





Bypassing hardware firewalls on 
Windows x64 

Installing a kernel driver in Windows x64 is not trivial 

• Trusted signed driver is needed 

Thanks to basil for WinDivert project (and Nemea Software 
Development) 

• Trusted signed kernel driver already included! 

• You can interface with the kernel driver 

Alternatively, patchguard bypass could be used 

http://www.codeproject.com/Articles/28318/Bypassing- 

PatchGuard 

Uroburos rootkit — Bring Your Own Vuln 
Install root CA first with user simulator ;) 




How to set TCP source port for 
meterpreter bind shell (or any 
program)? 


Netcat (Nmap build) to da rescue! 


neat -kl 4444 -c 

"neat -p 1337 RDP.SER.VER.IP 3389" 

netcat 



Demo 




Alternative usage of “hw fw 



You have admin on Webserver 

but persistent outbound C&C is blocked 

Instead of local port forward, use netcat to port 
forward to other machines in the DMZ 

Backdoor traffic to hide your 


communication inside the 
legit network traffic 



The solution — as a whole 

Malware waits for the user to login to RDP with 2FA 
Create screenshot from user desktop 
Put screenshot on the screen 
Disable keyboard/mouse 

Drop malware by simulating user keyboard events + 
clipboard for large (ASCII) data transfer 

Start WORD, create new macro code 

Bypass application whitelist using DLL loading from 
Word macro code 



The solution 


Escalate privileges to admin (vulnerable service 
Install hwfwbypass.exe with kernel driver 
Drop meterpreter 
Profit! 






The Internet 


Target 

Company 


Src port 
1337 


Dst port 
3339 


Dst port 
7 


Dst port 
3339 


ire-wall, port 3339 allowed only Secure remote 

desktop server 


Attacker 











Demo 




Demo 2 — as seen by the user 




Lessons learned for red team 


You have two new tools for your post exploitation 

• tool to drop malware into the remote desktop 

• If you have admin on a Windows server, you can 
bypass/fool hardware firewalls using my driver 



Lessons learned for the blue team 


Every additional layer of security can still be bypassed 

Restricted remote desktop is a real interface for 
malware infection 



Use application/protocol aware (NG) firewall instead 
of port based ones 
Can be bypassed ;) 

Don’t trust your firewall logs 

blindly 




Code release now? 



TO VOTE 
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one more thing 



two more things ... 


User simulator available as Metasploit post module 
HW FW bypass available as Metasploit post module 



Hack The Planet! 


https:/ / github.com/MRGEffitas/Wfite-into-screen 

https:/ / github.com/MRGEffitas/hwfwbypass 

20 ltan.bala 2 s@mfg-eff 1 tas.com 
https:/ / hu.linkedin.com/in/ 2bala2s 

Twitter — @2h4ck 
www.slideshare.net/b298 

Greet2 to @hekkcamp 
JumpESPJump.blogspot.com 
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